
Sports betting giant DraftKings has informed an unknown number of customers that their accounts were recently hacked in a wave of credential stuffing attacks.
DraftKings, a Boston-based gambling company established in 2012, offers sportsbook and daily fantasy sports (DFS) services and is an official partner of the NFL, NHL, PGA Tour, WNBA, UFC and NASCAR. The company employs more than 5,100 people and recorded revenue of $4.77 billion at the end of 2024.
In data breach notification letters sent on Thursday, 2 October, DraftKings informed the affected customers that the attackers had accessed their accounts and obtained “limited amounts of their data” in attacks that bear all the signs of a credential stuffing campaign.
Credential stuffing consists of attackers using automated tools to break into user accounts with credentials stolen from other online services, a strategy that is particularly effective against those who reuse credentials on many platforms. The threat actors aim to take over accounts to steal personal and financial information, which can later be sold on the dark web or used for identity theft and other malicious purposes.
However, the company said that the attackers did not obtain sensitive data such as “the identity number issued by the government, full financial account number” or other information that would enable them to break into customers’ bank accounts or steal their identity.
“However, by stealing login credentials from non-DraftKings sources and using them in this attack, the bad actor may temporarily be able to log in to some DraftKings customers’ accounts,” DraftKings said.
“If your account was accessed, the attacker could see your name, address, date of birth, phone number, email address, final four digits of payment card, profile photo, pre-transaction information, account balance and the date your password was changed for the last time.”
In response to these attacks, the company will require potentially affected customers to reset their DraftKings account passwords and enable multifactor authentication for logins to DK Horse accounts.
DraftKings advised customers to change their account passwords as a precaution, review their bank accounts and credit reports, place a security freeze on their credit report and set a fraud alert on their credit files.
A DraftKings spokesperson was not immediately available for comment when contacted by BleepingComputer today.
DraftKings also revealed in November 2022 that another credential stuffing campaign had stolen up to $300,000 from breached accounts. A month later, the sports betting company returned hundreds of thousands of dollars to 67,995 customers whose accounts were hacked in the incident.
The FBI has warned over the years that credential stuffing attacks are a growing threat due to readily available lists of leaked credentials and automated tools.
Update 10/7/25: After the story was published, DraftKings told BleepingComputer that the credential stuffing attacks affected fewer than 30 customers.
“DraftKings reported a possible security incident in less than 30 customers’ accounts,” a DraftKings spokesperson told BleepingComputer.
“Our investigation has not found any evidence that the login credentials were obtained from DraftKings or the computer system or network of DraftKings. The most important thing is that no customer has experienced financial loss due to this incident.”


